Visualizing Network Traffic in Real Time with Zeek & InfluxDB

Ever Wonder What’s Really Happening on Your Network?

We’ve all been there. The internet slows down, and you’re left wondering, “What’s going on behind the scenes?” You might fire up ping or traceroute, or even dive into Wireshark’s packet maze—but those tools only give you a fleeting snapshot.

I wanted a living, breathing dashboard that could show real-time trends, unexpected spikes, and curious connections on my home network. That’s when I discovered a killer combo: Zeek + InfluxDB + Grafana.

And yes—it’s way easier than it sounds.

The Tools: My Home Lab Avengers

1. Zeek (formerly Bro)

Zeek isn’t your average firewall—it’s a network traffic analyzer. Instead of blocking things, it watches and logs everything: connections, DNS requests, HTTP traffic, SSL sessions, file transfers—you name it. It transforms raw packet chaos into structured, searchable logs.

2. InfluxDB

InfluxDB is a time-series database, purpose-built for timestamped data—exactly what Zeek generates. It’s lightning-fast for queries like “show me all DNS requests from the last 10 minutes.”

3. Grafana

Grafana turns raw metrics into beautiful, interactive dashboards. Think of it as the data artist of the group, painting a real-time picture of your network activity.

Step 1: Installing Zeek

On my spare Ubuntu box:

```bash
sudo apt-get install zeek
```

Once installed, edit the local.zeek config file (usually in /etc/zeek/ or /usr/local/zeek/etc/). Update your network interface:

```zeek
const Bif::interface = "eth0"; # Change to your actual interface from `ip a`
# Note: when Zeek is run via zeekctl (as in Step 4), the sniffing interface is
# normally set with `interface=eth0` in node.cfg next to the other zeekctl config.
```

Step 2: Connecting Zeek to InfluxDB

By default, Zeek writes logs to text files. That’s fine, but we want them in InfluxDB.

Using the Zeek Package Manager (zkg; install it first if you don't have it), install the InfluxDB plugin:

```bash
zkg install zeek-influx
```

This plugin teaches Zeek how to send logs directly to InfluxDB.

Then, in your local.zeek file, add:

```zeek
@load packages/zeek-influx
redef Influx::host = "localhost";
redef Influx::port = 8086;
redef Influx::database = "zeek";
```
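
To make concrete what the plugin does for you, here is an added example (my own code, not part of the zeek-influx package or this post) that turns a Zeek TSV log into InfluxDB line protocol. It reads the `#fields`/`#types` headers to pick integer, float and string field types, treats Zeek's `-` as unset, converts the `ts` column to exact nanoseconds, and maps a few low-cardinality columns to tags. The conn.log rows are constructed sample data, and the tag choice (proto, service, resp_p) is my assumption.

```python
from decimal import Decimal
# Constructed sample of a Zeek conn.log (TSV with #fields/#types headers); not real traffic.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring\n"
    "1700000000.123456\tCabc123\t192.168.1.20\t51234\t93.184.216.34\t443\ttcp\tssl\t0.512\t1200\t5400\tSF\n"
    "1700000001.000000\tCdef456\t192.168.1.21\t5353\t224.0.0.251\t5353\tudp\tdns\t-\t80\t-\tS0\n"
)
# Low-cardinality columns become indexed InfluxDB tags; uid/addresses stay fields to avoid tag explosion.
TAG_COLUMNS = {"proto", "service", "id.resp_p"}

def esc_tag(v):
    """Line protocol: commas, spaces and '=' must be escaped in tag keys and values."""
    return v.replace(",", r"\,").replace(" ", r"\ ").replace("=", r"\=")

def esc_str(v):
    """Line protocol: string field values are double-quoted; escape backslash and quote."""
    return '"' + v.replace("\\", "\\\\").replace('"', '\\"') + '"'

def encode_record(measurement, names, types, values):
    """Turn one Zeek TSV row into one InfluxDB line-protocol line with a ns timestamp."""
    tags, fields, ts_ns = [], [], None
    for name, typ, val in zip(names, types, values):
        if val == "-":                      # Zeek's unset marker: drop the column
            continue
        key = name.replace("id.", "")       # id.orig_h -> orig_h reads better in Grafana
        if name == "ts":                    # seconds.micro -> exact integer nanoseconds
            ts_ns = int(Decimal(val) * 1_000_000_000)
        elif name in TAG_COLUMNS:
            tags.append(f"{esc_tag(key)}={esc_tag(val)}")
        elif typ in ("count", "int", "port"):
            fields.append(f"{key}={val}i")  # 'i' suffix marks an integer field
        elif typ in ("interval", "double"):
            fields.append(f"{key}={val}")
        else:                               # addr, string, enum -> quoted string field
            fields.append(f"{key}={esc_str(val)}")
    return f"{measurement}{''.join(',' + t for t in tags)} {','.join(fields)} {ts_ns}"

def zeek_log_to_lines(text, measurement):
    """Convert a whole Zeek TSV log (e.g. the contents of conn.log) to line-protocol lines."""
    names, types, out = [], [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            names = line.split("\t")[1:]
        elif line.startswith("#types"):
            types = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            out.append(encode_record(measurement, names, types, line.split("\t")))
    return out
```

The joined lines are exactly what InfluxDB 1.x accepts on a POST to `/write?db=zeek`, so this doubles as a fallback if the plugin is unavailable.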

Step 3: Setting Up InfluxDB

On the same Ubuntu box:

```bash
sudo apt-get install influxdb
sudo systemctl start influxdb
```

Create the zeek database:

```bash
influx
> CREATE DATABASE zeek
```

Boom—ready for data.

Step 4: Fire It Up

Start Zeek:

```bash
sudo zeekctl deploy
```

Check that data is flowing into InfluxDB:

```bash
influx
> USE zeek
> SHOW MEASUREMENTS
```

You should see measurements such as conn, dns, http, ssl, etc. That means Zeek is logging in real time!

Step 5: Visualize with Grafana

  1. Install Grafana.
  2. Set up InfluxDB as a Data Source:
    • URL: http://localhost:8086
    • Database: zeek
  3. Build a dashboard.

Some panels I created:

  • Active connections over time (Graph), using the InfluxQL query `SELECT count("uid") FROM "conn" WHERE $timeFilter GROUP BY time($__interval)`
  • Top destination ports (Pie Chart)
  • Recent DNS queries (Table View)

(Insert cool dashboard screenshot here!)

Insights & Next Steps

Within minutes, I noticed a smart device was “phoning home” way too often. With this setup, you can:

  • Detect unusual activity (like traffic spikes at 3 AM).
  • Monitor IoT devices.
  • Set Grafana alerts for things like known malicious IPs or abnormal protocols.

Final Thoughts

If you’re a curious tech tinkerer or a budding network analyst, this setup is both fun and educational. It turns your boring network into a treasure trove of insight—and lets you spot suspicious behavior before it becomes a problem.

No more flying blind. Start seeing your network.
